Understanding data lifetime via whole system simulation
作者: Tal Garfinkel , Mendel Rosenblum , Kevin Christopher , Ben Pfaff , Jim Chow
DOI:
关键词:
摘要: Strictly limiting the lifetime (i.e. propagation and duration of exposure) sensitive data (e.g. passwords) is an important well accepted practice in secure software development. Unfortunately, there are no current methods available for easily analyzing lifetime, very little information on quality today's with respect to lifetime. We describe a system we have developed through whole simulation called TaintBochs. TaintBochs tracks by "tainting" it at hardware level. Tainting then propagated across operating system, language, application boundaries, permitting analysis handling level. We used analyze several large, real world applications. Among these were Mozilla, Apache, Perl, which process millions passwords, credit card numbers, etc. daily basis. Our investigation reveals that applications components they rely upon take virtually measures limit handle, leaving passwords other scattered throughout user kernel memory. We show how few simple practical changes can greatly reduce
stanford.edu
benpfaff.org
princeton.edu 
jhu.edu 参考文章(22)
David A. Solomon, Mark Russinovich, Inside Microsoft Windows 2000 ,(2000)
Nicholas Nethercote, Julian Seward, Valgrind: A Program Supervision Framework Electronic Notes in Theoretical Computer Science. ,vol. 89, pp. 44- 66 ,(2003) , 10.1016/S1571-0661(04)81042-9
Naveen Sastry, Pete Broadwell, Matt Harren, Scrash: a system for generating secure crash information usenix security symposium. pp. 19- 19 ,(2003)
David Wagner, Kunal Talwar, Jeffrey S. Foster, Umesh Shankar, Detecting format string vulnerabilities with type qualifiers usenix security symposium. pp. 16- 16 ,(2001)
Peter Gutmann, Software generation of practically strong random numbers usenix security symposium. pp. 19- 19 ,(1998)
Peter Gutmann, Data remanence in semiconductor devices usenix security symposium. pp. 4- 4 ,(2001)
Niels Provos, Encrypting virtual memory usenix security symposium. pp. 3- 3 ,(2000)
K. Ashcraft, D. Engler, Using programmer-written compiler extensions to catch security holes ieee symposium on security and privacy. pp. 143- 159 ,(2002) , 10.1109/SECPRI.2002.1004368
Michael Burrows, Stephen N. Freund, Janet L. Wiener, Run-time type checking for binary programs compiler construction. pp. 90- 105 ,(2003) , 10.1007/3-540-36579-6_7
R.T. Fielding, G. Kaiser, The Apache HTTP Server Project IEEE Internet Computing. ,vol. 1, pp. 88- 90 ,(1997) , 10.1109/4236.612229